Data has become the lifeblood of the enterprise, providing competitive differentiation, customer insights and product ideas. With the plummeting costs of storage, sensors and compute, the typical organization is eagerly accumulating more and more data.
But, while data brings opportunity, it can also expose enterprises to significant legal and financial liability. Organizations need to address the following five data security challenges to successfully maintain the confidentiality, integrity and availability of sensitive information.
1. Data awareness
Often, one of the first challenges a CISO faces is determining an organization's actual data footprint, which is often much larger than expected and can change minute to minute. Consider the elastic use of public cloud, on-demand API integrations and IoT sensor software updates -- in which, for instance, a dormant integrated camera might suddenly come alive and start generating data due to a software feature activation.
To keep up with this constantly shifting landscape, organizations need to have a data inventory and use data classification. Data footprint monitoring tools that are automated, scalable and adaptable help with these tasks. Data risk assessments can also help improve overall data awareness.
2. Variable data compliance requirements
Regulatory authorities across different states, countries and regions operate from their own playbooks and on their own timelines. While many organizations hope a common data privacy framework eventually emerges, procrastinating on compliance is inadvisable. European regulators, for instance, are getting much stricter with respect to data compliance enforcement, and fines for violations can be significant.
Find a partner who can help interpret and navigate relevant privacy laws and ensure data compliance and regulatory compliance. Automated compliance software tools are an alternative for smaller organizations with tighter budgets.
3. Data longevity growth
Thanks to the low cost, elasticity and ubiquity of cloud storage, enterprises can now retain unprecedented amounts of data for unlimited lengths of time. This is good news for business leaders who use analytics to extract value from big data. But it presents a huge challenge for CISOs who wish to reduce their organizations' data footprints to lower the risk of data compromise.
Security and business leaders should work together to establish a data termination process that supports business needs while still aligning with organizational cyber-risk appetite. Establishing a trigger for data destruction is a good place to start -- for instance, if no application has touched a data lake in more than a year. Ensure primary, secondary and tertiary data are encrypted and periodically purged.
4. Employee departures
Employee resignations and terminations raise the risk of insider attacks. For malicious former and soon-to-be-former end users, corporate data presents a ripe target for theft and auction on the ransomware market, whether their motivation is revenge or profit. External threat actors may also gain access to sensitive information by hacking into former employees' dormant accounts if organizations fail to disable them in a timely manner.
To protect against these threats, enforce granular access control policies, and revoke users' access privileges as soon as they leave or change roles. User and entity behavior analytics can also help identify insider threats and compromised inactive accounts.
5. Invasive data technologies
Another factor contributing to organizations' exploding data footprints is the emergence of increasingly invasive new business technologies. Immersive, personalized virtual reality experiences, for example, require the collection of excessive amounts of personal data from the end user. Knowledge is power, and from a business perspective, that level of information gives enterprises huge advantages in predicting and manipulating customer behavior. From a data privacy and security perspective, however, the implications are troubling. And the regulatory framework, while it does put some bounds on such activity, lags behind new technologies such as the metaverse and the cybersecurity challenges they bring.
As a CISO, make sure the organization treats customer data it collects in emerging environments with caution and care. At a minimum, end users should have access to transparent data privacy disclosure statements that the typical human would understand. Beyond that, take a leaf from existing environments, such as cloud and IoT, and work with business leaders to create a framework for data governance.